spuru9 opened a new pull request, #28072: URL: https://github.com/apache/flink/pull/28072
## What is the purpose of the change

Bumps four Flink-controlled Java dependencies in the root `pom.xml` to resolve known CVEs disclosed since the last dependency refresh. Scope is limited to dependencies Flink declares or pins itself; CVEs that come in via Hadoop, kubernetes-client, or kafka-clients transitives are deliberately out of scope and tracked separately, since they require parent-dependency upgrades rather than transitive overrides.

## Brief change log

- `log4j-core` 2.25.3 → 2.25.4 — fixes CVE-2026-34477, CVE-2026-34478, CVE-2026-34480
- `jackson-bom` 2.20.1 → 2.21.1 — fixes GHSA-72hv-8253-57qq for non-shaded Jackson uses. Note: `flink-shaded-jackson` still bundles 2.20.1 internally and requires a separate upstream release in `apache/flink-shaded` to update.
- `assertj-core` 3.27.3 → 3.27.7 (test scope) — fixes CVE-2026-24400
- `netty-bom` 4.2.6.Final → 4.2.11.Final — single bump cascades to every `netty-codec-*` artifact via the BOM, fixing CVE-2025-59419, CVE-2025-67735, CVE-2026-33870, CVE-2026-33871

## Verifying this change

This change is already covered by existing tests — the entire Flink test suite exercises log4j, Jackson, AssertJ, and Netty paths transitively. CI (`mvn clean verify`) is the verification surface; no behavior changes are introduced beyond the version bumps themselves.

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): **yes**
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no (within-line patch bumps only)
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
- The S3 file system connector: no

## Documentation

- Does this pull request introduce a new feature? no

---

##### Was generative AI tooling used to co-author this PR?
- [X] Yes (please specify the tool below)

Generated-by: Claude Code
